GitLab Docker registry not responding to remote docker pull

I’m having an issue which is driving me crazy.

GitLab and registry configuration:

  • local instance of GitLab with local insecure registry and authentication via LDAP
  • push to registry - working fine
  • pull from registry (local subnet) is working fine
  • pull from registry (remote subnet) is not working

Local PULL - Working fine

2017-12-16_00:29:09.17848 time="2017-12-16T01:29:09.178357847+01:00" level=warning msg="error authorizing context: authorization token required" environment=production go.version=go1.8.1 http.request.host="registry:5005" http.request.id=b2247e9f-42b5-4c20-b04c-9b125d705eda http.request.method=GET http.request.remoteaddr="10.10.10.11:33634" http.request.uri="/v2/" http.request.useragent="docker/17.05.0-ce go/go1.7.5 git-commit/89658be kernel/4.4.0-79-generic os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" instance.id=1d0afa35-7874-451e-b452-8567ae67fe39 service=registry version=v2.6.1-1-gdd544a8
2017-12-16_00:29:09.17854 10.10.10.11 - - [16/Dec/2017:01:29:09 +0100] "GET /v2/ HTTP/1.1" 401 87 "" "docker/17.05.0-ce go/go1.7.5 git-commit/89658be kernel/4.4.0-79-generic os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)"
Started GET "/jwt/auth?account=gituser&scope=repository%3Agroup%2Fproject%2Fcpu-x86-generic%3Apull&service=container_registry" for 10.10.10.11 at 2017-12-16 01:29:09 +0100
Processing by JwtController#auth as HTML
  Parameters: {"account"=>"gituser", "scope"=>"repository:group/project/cpu-x86:pull", "service"=>"container_registry"}
Completed 200 OK in 21ms (Views: 0.2ms | ActiveRecord: 3.2ms)
2017-12-16_00:29:09.21340 time="2017-12-16T01:29:09.213328743+01:00" level=info msg="response completed" environment=production go.version=go1.8.1 http.request.host="registry:5005" http.request.id=0c135004-9303-45f0-bdbc-0f6712ac1c62 http.request.method=GET http.request.remoteaddr="10.10.10.11:33638" http.request.uri="/v2/group/project/cpu-x86/manifests/latest" http.request.useragent="docker/17.05.0-ce go/go1.7.5 git-commit/89658be kernel/4.4.0-79-generic os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" http.response.contenttype="application/vnd.docker.distribution.manifest.v2+json" http.response.duration=1.445587ms http.response.status=200 http.response.written=1158 instance.id=1d0afa35-7874-451e-b452-8567ae67fe39 service=registry version=v2.6.1-1-gdd544a8
2017-12-16_00:29:09.21344 10.10.10.11 - - [16/Dec/2017:01:29:09 +0100] "GET /v2/group/project/cpu-x86/manifests/latest HTTP/1.1" 200 1158 "" "docker/17.05.0-ce go/go1.7.5 git-commit/89658be kernel/4.4.0-79-generic os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)"

Remote PULL - NOT Working (missing response completed)

2017-12-16_00:28:24.15421 time="2017-12-16T01:28:24.154107778+01:00" level=warning msg="error authorizing context: authorization token required" environment=production go.version=go1.8.1 http.request.host="registry:5005" http.request.id=e1f3a42d-922c-425c-bcf0-a21b566e2058 http.request.method=GET http.request.remoteaddr="10.10.20.2:41796" http.request.uri="/v2/" http.request.useragent="docker/17.09.1-ce go/go1.8.3 git-commit/19e2cf6 kernel/4.4.0-101-generic os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" instance.id=1d0afa35-7874-451e-b452-8567ae67fe39 service=registry version=v2.6.1-1-gdd544a8
2017-12-16_00:28:24.15429 10.10.20.2 - - [16/Dec/2017:01:28:24 +0100] "GET /v2/ HTTP/1.1" 401 87 "" "docker/17.09.1-ce go/go1.8.3 git-commit/19e2cf6 kernel/4.4.0-101-generic os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)"
Started GET "/jwt/auth?account=gituser&scope=repository%3Agroup%2Fproject%2Fcpu-x86-generic%3Apull&service=container_registry" for 10.10.20.2 at 2017-12-16 01:28:24 +0100
Processing by JwtController#auth as HTML
  Parameters: {"account"=>"gituser", "scope"=>"repository:group/project/cpu-x86:pull", "service"=>"container_registry"}
Completed 200 OK in 33ms (Views: 0.1ms | ActiveRecord: 3.8ms)

Any idea what needs to be set up on the registry side?
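
The two traces above follow the registry token flow: a 401 on `/v2/`, a `/jwt/auth` request to GitLab, then the manifest request. As an added example that is not part of the original post, the script below groups those log lines by client address and reports clients whose sequence ends at the token request. The sample lines are abridged from the post, and the function names are hypothetical.

```python
import re

# Abridged from the log lines in the post (user agent shortened for the example).
SAMPLE_LOG = '''\
2017-12-16_00:29:09.17854 10.10.10.11 - - [16/Dec/2017:01:29:09 +0100] "GET /v2/ HTTP/1.1" 401 87 "" "docker/17.05.0-ce"
Started GET "/jwt/auth?account=gituser&scope=repository%3Agroup%2Fproject%2Fcpu-x86-generic%3Apull&service=container_registry" for 10.10.10.11 at 2017-12-16 01:29:09 +0100
2017-12-16_00:29:09.21344 10.10.10.11 - - [16/Dec/2017:01:29:09 +0100] "GET /v2/group/project/cpu-x86/manifests/latest HTTP/1.1" 200 1158 "" "docker/17.05.0-ce"
2017-12-16_00:28:24.15429 10.10.20.2 - - [16/Dec/2017:01:28:24 +0100] "GET /v2/ HTTP/1.1" 401 87 "" "docker/17.09.1-ce"
Started GET "/jwt/auth?account=gituser&scope=repository%3Agroup%2Fproject%2Fcpu-x86-generic%3Apull&service=container_registry" for 10.10.20.2 at 2017-12-16 01:28:24 +0100
'''

IPV4 = r"(\d+(?:\.\d+){3})"
# Registry access-log line: client IP, request path, HTTP status.
ACCESS = re.compile(IPV4 + r' - - \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')
# GitLab (Rails) log line for the token endpoint: client IP only.
TOKEN = re.compile(r'Started GET "/jwt/auth\?[^"]*" for ' + IPV4)


def handshake_stages(log_text):
    """Map client IP -> ordered list of token-flow stages seen in the log."""
    stages = {}
    for line in log_text.splitlines():
        m = ACCESS.search(line)
        if m:
            ip, path, status = m.group(1), m.group(2), int(m.group(3))
            if path == "/v2/" and status == 401:
                stages.setdefault(ip, []).append("challenge")
            elif path.startswith("/v2/") and path != "/v2/":
                stages.setdefault(ip, []).append(f"resource:{status}")
            continue
        m = TOKEN.search(line)
        if m:
            stages.setdefault(m.group(1), []).append("token")
    return stages


def stalled_clients(log_text):
    """Clients whose last logged step is the token request (no resource request followed)."""
    return sorted(ip for ip, seen in handshake_stages(log_text).items()
                  if seen[-1] == "token")


if __name__ == "__main__":
    for ip, seen in handshake_stages(SAMPLE_LOG).items():
        print(ip, " -> ".join(seen))
    print("stalled after token:", stalled_clients(SAMPLE_LOG))
```

A client listed as stalled requested a token from GitLab but never reached the registry again, which narrows the search to what happens between the token response and the client's next request.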